Adding introduction to WebGoat as the web interface opens with WebWolf which is confusing because people thought you needed to download WebWolf and start it directly. Feedback received during workshops

2017-11-02 14:28:20 +01:00 · 2017-11-02 14:28:20 +01:00 · 87a7521dcd
commit 87a7521dcd
parent 8729d9bfcf
11 changed files with 125 additions and 1 deletions
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@ -27,6 +27,7 @@
        <module>xxe</module>
        <module>idor</module>
        <module>vulnerable-components</module>
+        <module>webgoat-introduction</module>
        <module>webwolf-introduction</module>
 	    <module>auth-bypass</module>
        <module>missing-function-ac</module>
--- a/webgoat-lessons/webgoat-introduction/pom.xml
+++ b/webgoat-lessons/webgoat-introduction/pom.xml
@ -0,0 +1,11 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>webgoat-introduction</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.0.0.M2</version>
+    </parent>
+</project>
--- a/webgoat-lessons/webgoat-introduction/pom.xml.versionsBackup
+++ b/webgoat-lessons/webgoat-introduction/pom.xml.versionsBackup
@ -0,0 +1,11 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>webwolf-introduction</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.0-SNAPSHOT</version>
+    </parent>
+</project>
--- a/webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/plugin/WebGoatIntroduction.java
+++ b/webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/plugin/WebGoatIntroduction.java
@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class WebGoatIntroduction extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.INTRODUCTION;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return new ArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 1;
+    }
+
+    @Override
+    public String getTitle() {
+        return "webgoat.title";
+    }
+
+    @Override
+    public String getId() {
+        return "WebGoatIntroduction";
+    }
+}
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html
+++ b/webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html
@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
+</div>
+
+</html>
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/webgoat-introduction/src/main/resources/i18n/WebGoatLabels.properties
@ -0,0 +1 @@
+webgoat.title=WebGoat
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/images/wg_logo.png
+++ b/webgoat-lessons/webgoat-introduction/src/main/resources/images/wg_logo.png
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc
+++ b/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc
@ -0,0 +1,21 @@
+== Introducing WebGoat
+
+
+---
+What is WebGoat?
+
+WebGoat is a deliberately insecure application that allows interested developers just like you to _test vulnerabilities_
+commonly found in Java-based applications that use common and popular open source components.
+
+Now, while we in no way condone causing intentional harm to any animal, goat or otherwise, we think learning everything
+you can about security vulnerabilities is essential to understanding just what happens when even a small bit of
+unintended code gets into your applications.
+
+What better way to do that than with your very own scapegoat?
+
+Feel free to do what you will with Hack. Poke, prod and if it makes you feel better, scare him until your heart’s content.
+Go ahead, and Hack the goat. We promise he likes it.
+
+Thanks for your interest!
+
+*The WebGoat Team*
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
+++ b/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
@ -2,7 +2,7 @@
 <html xmlns:th="http://www.thymeleaf.org">

 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
+    <div class="adoc-content" th:replace="doc:IntroductionWebWolf.adoc"></div>
 </div>

 <div class="lesson-page-wrapper">
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
+++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
@ -1,5 +1,8 @@
 == Introducing WebWolf

+NOTE: You only need WebWolf if you a lesson specifies you can use it. For a lot of lessons you use WebGoat without
+starting WebWolf.
+
 WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to
 make a clear distinction between what takes place on the attacked website and the actions you need to do as
 an "attacker". WebWolf was introduced after a couple of workshops where we received feedback about the fact there
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@ -174,6 +174,11 @@
            <artifactId>auth-bypass</artifactId>
            <version>${project.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>webgoat-introduction</artifactId>
+            <version>${project.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.owasp.webgoat.lesson</groupId>
            <artifactId>webwolf-introduction</artifactId>